IBM BPM, V8.0.1, All platforms > Install IBM BPM > Plan for IBM BPM > Plan to configure Business Process Choreographer > Plan for a custom configuration

Plan for the people directory provider

Plan the people directory provider, people substitution, virtual member manager, and Lightweight Directory Access Protocol (LDAP) settings for Business Process Choreographer.


Procedure

  1. If you are going to use human tasks, decide which people directory providers you will use:

    Virtual member manager (VMM) people directory provider

    The VMM people directory provider is ready to use because federated repositories (also known as virtual member manager) are preconfigured for WebSphere security, using a file-based repository. If you want to use a different user repository with federated repositories, you must reconfigure federated repositories. The VMM people directory provider supports all Business Process Choreographer people assignment features, including substitution. It relies on the features that federated repositories provide, in particular support for different repository types: LDAP, database, file-based, and property extension repository.

    Using the VMM people directory provider requires that federated repositories are configured as the user registry for WebSphere Application Server security.

    You can associate federated repositories with one or more user repositories, based on a file, LDAP, or a database. For more information about this, see Manage the realm in a federated repository configuration. For more information about using federated repositories, see IBM WebSphere Developer Technical Journal.

    Lightweight Directory Access Protocol (LDAP) people directory provider

    This people directory provider must be configured before you can use it. Perform the planning described in step 2.

    System people directory provider

    This people directory provider can be used without configuring it. Do not use this provider in a production system; it is intended only for testing during application development.

    User registry people directory provider

    This people directory provider can be used without configuring it. Depending on the WebSphere security realm definition, the user registry can use one of the following repositories:

    • Federated repository – which can use the following:

      • File registry

      • One or more LDAPs

      • One or more databases

    • Standalone LDAP
    • Standalone custom
    • Local operating system

  2. If you are going to use the Lightweight Directory Access Protocol (LDAP), plan the following.

    1. You might need to customize your own version of the LDAPTransformation.xsl file. For the location of that file and a list of properties that you might need to customize, see Configure the LDAP people directory provider.
    2. Plan the following LDAP custom properties. Each LDAP plug-in property is marked as required or optional:

      AuthenticationAlias (optional)

        The Java Authentication and Authorization Service (JAAS) authentication alias that holds the user ID and password used to bind to the LDAP server. Define the alias in the administrative console by clicking Security > Secure administration, applications, and infrastructure > Java Authentication and Authorization Service > J2C Authentication Data. If this alias is not set, or if AuthenticationType is not set to simple, an anonymous logon to the LDAP server is used.

      AuthenticationType (optional)

        If this property is set to simple, for simple authentication, the AuthenticationAlias property is required. If it is not set, anonymous authentication is used.

      BaseDN (required)

        The base distinguished name (DN) for all LDAP search operations, for example, o=mycompany, c=us. To specify the directory root, specify an empty string using two single quotation marks, ''.

      CasesentivenessForObjectclasses (optional)

        Determines whether the names of LDAP object classes are case-sensitive.

      ContextFactory (required)

        The Java™ Naming and Directory Interface (JNDI) context factory class, for example, com.sun.jndi.ldap.LdapCtxFactory.

      ProviderURL (required)

        The URL of the LDAP directory server and port, in normal JNDI syntax, for example, ldap://localhost:389. For SSL connections, use an ldaps:// URL (for example, ldaps://localhost:636); the LDAP server's certificate, or its issuer, must then be trusted by the truststore that the server process uses for that connection. Note that a simple bind over a plain ldap:// URL sends the bind password to the LDAP server in clear text.

        For a high availability configuration, where you have two or more LDAP servers that maintain mirrored data, plan to specify a URL for each LDAP server, separated by the space character.

      SearchScope (required)

        The default search scope for all search operations. Determines how deep to search beneath the BaseDN. Specify one of the following values: objectScope, onelevelScope, or subtreeScope.

      additionalParameterName1-5 and additionalParameterValue1-5 (optional)

        Use these name-value pairs to set up to five arbitrary JNDI properties for the connection to the LDAP server.
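The following pre-flight check is an added example, not IBM code and not part of this page's procedure. It takes a planned LDAP plug-in property set as a plain Python dictionary and reports, using only the rules stated in step 2, what would break (missing required properties, simple authentication without an alias, an invalid SearchScope, unpaired additionalParameter entries) and what would weaken security (anonymous logon, a simple bind over plain ldap://). The host names, alias name and the two property sets are constructed for illustration; it does not contact an LDAP server or read the WebSphere configuration.

```python
"""Pre-flight check for planned Business Process Choreographer LDAP
people directory provider custom properties.

Added example (not IBM's code). It inspects a planned property set
against the rules described on this page; nothing is sent to LDAP.
"""
import re
from urllib.parse import urlsplit

VALID_SCOPES = ("objectScope", "onelevelScope", "subtreeScope")
REQUIRED = ("BaseDN", "ContextFactory", "ProviderURL", "SearchScope")
MAX_ADDITIONAL = 5  # additionalParameterName1-5 / Value1-5
ADDITIONAL_RE = re.compile(r"additionalParameter(?:Name|Value)(\d+)")


def check_ldap_properties(props):
    """Return a list of (severity, message) findings.

    'error': the provider will not work as intended.
    'warn' : it works, but the plan weakens security.
    """
    findings = []

    # Required properties. BaseDN may legitimately be '' (directory root),
    # so test for presence, not truthiness.
    for name in REQUIRED:
        if name not in props:
            findings.append(("error", f"{name} is required but not set"))

    # Simple bind needs an alias; anything else means an anonymous logon.
    auth_type = props.get("AuthenticationType")
    alias = props.get("AuthenticationAlias")
    if auth_type == "simple":
        if not alias:
            findings.append(("error",
                             "AuthenticationType=simple requires AuthenticationAlias"))
    else:
        findings.append(("warn",
                         "AuthenticationType is not 'simple': the server "
                         "logs on to LDAP anonymously"))
        if alias:
            findings.append(("warn",
                             "AuthenticationAlias is ignored unless "
                             "AuthenticationType=simple"))

    # ProviderURL: space-separated JNDI URLs (several for HA). A simple
    # bind over ldap:// exposes the bind password on the wire.
    urls = props.get("ProviderURL", "").split()
    if "ProviderURL" in props and not urls:
        findings.append(("error", "ProviderURL is empty"))
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
            findings.append(("error",
                             f"ProviderURL entry {url!r} is not an ldap:// "
                             "or ldaps:// URL with a host"))
        elif parts.scheme == "ldap" and auth_type == "simple":
            findings.append(("warn",
                             f"simple bind over {url}: bind password crosses "
                             "the network in clear text; plan ldaps://"))

    scope = props.get("SearchScope")
    if scope is not None and scope not in VALID_SCOPES:
        findings.append(("error",
                         f"SearchScope {scope!r} must be one of "
                         + ", ".join(VALID_SCOPES)))

    # Extra JNDI properties come in name/value pairs, indexes 1 to 5 only.
    for i in range(1, MAX_ADDITIONAL + 1):
        has_name = f"additionalParameterName{i}" in props
        has_value = f"additionalParameterValue{i}" in props
        if has_name != has_value:
            findings.append(("error",
                             f"additionalParameterName{i}/Value{i} must be set as a pair"))
    for key in props:
        m = ADDITIONAL_RE.fullmatch(key)
        if m and not 1 <= int(m.group(1)) <= MAX_ADDITIONAL:
            findings.append(("error",
                             f"{key}: only indexes 1 to {MAX_ADDITIONAL} are supported"))
    return findings


# Constructed property sets (hypothetical hosts and alias name).
PLANNED_WEAK = {
    "BaseDN": "o=mycompany, c=us",
    "ContextFactory": "com.sun.jndi.ldap.LdapCtxFactory",
    "ProviderURL": "ldap://ldap1.example.com:389 ldap://ldap2.example.com:389",
    "SearchScope": "subtreeScope",
    "AuthenticationType": "simple",      # alias forgotten: anonymous logon
}

PLANNED_HARDENED = {
    "BaseDN": "o=mycompany, c=us",
    "ContextFactory": "com.sun.jndi.ldap.LdapCtxFactory",
    "ProviderURL": "ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636",
    "SearchScope": "subtreeScope",
    "AuthenticationType": "simple",
    "AuthenticationAlias": "bpcLdapBind",   # J2C alias holding bind ID/password
    "additionalParameterName1": "com.sun.jndi.ldap.connect.timeout",
    "additionalParameterValue1": "5000",
}

if __name__ == "__main__":
    for label, plan in (("weak", PLANNED_WEAK), ("hardened", PLANNED_HARDENED)):
        print(label)
        for severity, message in check_ldap_properties(plan) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

Run it against each property set you intend to enter in the administrative console before the configuration step; the weak plan above yields one error (simple authentication without an alias) and one clear-text warning per ldap:// URL, the hardened plan yields no findings.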

  3. If you are going to use the virtual member manager, plan the following.

    1. You might need to customize your own version of the VMMTransformation.xsl file. For the location of that file and a list of properties that you might need to customize, refer to Configure the Virtual Member Manager people directory provider.

  4. If you want to use people substitution, consider the following:

    • You must use the VMM people directory provider. The LDAP, system, and user registry people directory providers do not support people substitution.

    • If you are going to use people substitution in a production environment, plan to use the VMM Property Extension Repository to store the substitution information. The Property Extension Repository and, implicitly, the selected database must be unique and accessible from within the whole cell. As the BPEDB database is not necessarily unique within a cell, BPEDB cannot be used. You can use the common database, WPSRCDB, to host the Property Extension Repository, however, for a production environment, it is recommended to use a database that is independent of other Process Server databases.

    • To use people substitution in a single-server test environment, you can store people substitution information in the internal file registry that is configured for federated repositories.


Results

You have planned the people directory provider and people assignment options.